[00:01.040 --> 00:07.420]  Hi, my name is Camila. I'm a security researcher at DreamLab Technologies and also a 3D printing
[00:07.420 --> 00:12.540]  enthusiast. And today we are going to talk about bypassing biometric systems
[00:12.540 --> 00:16.880]  with and without the help of 3D printing technologies.
[00:19.040 --> 00:26.540]  Humans have used features such as face, voice, and gait for thousands of years to recognize each
[00:26.540 --> 00:32.740]  other. But only recently, humans have started using biometric-based systems to authenticate
[00:32.740 --> 00:40.820]  individuals. Biometrics is the science of establishing or determining an identity based
[00:40.820 --> 00:48.380]  on the physical or behavioral traits of an individual, such as the ones we can see here
[00:48.380 --> 00:57.660]  in the slide. Fingerprints, DNA, signature, iris, face, voice, gait, vein pattern, ear shape,
[00:57.660 --> 01:07.270]  keystroke dynamics, and more. Biometric systems are essentially pattern recognition systems
[01:07.270 --> 01:14.250]  that read as input biometric data, extract the feature set from such data, and finally
[01:14.250 --> 01:21.290]  compare it with a template set stored in the database. If the extracted feature set
[01:21.290 --> 01:29.270]  from the given input is closed to a template set stored in the database, then the user is granted
[01:29.270 --> 01:41.760]  access. But biometric systems are prone to different attacks. Direct attacks, presentation,
[01:41.760 --> 01:49.320]  or spoofing attacks are performed at the sensor level. The sensor is full and not replaced nor
[01:49.320 --> 01:56.880]  tampered. Indirect attacks are performed inside the biometric system by, for example, bypassing
[01:56.880 --> 02:02.920]  or overriding the capture device, the signal processor, the comparator, or the decision
[02:02.920 --> 02:10.600]  engine, manipulating the data in the biometric reference database, or exploiting possibly
[02:10.600 --> 02:17.620]  weak points in the communication channels between the different components. But during this talk,
[02:17.620 --> 02:28.320]  we are going to focus on this, on presentation attacks, this part of the system.
[02:32.080 --> 02:39.180]  Now we are going to see presentation attacks in reality. These are real cases of criminals
[02:39.180 --> 02:47.060]  using silicon masks to fool security cameras, airport security, and facial recognition systems.
[02:47.080 --> 02:52.700]  The first one is a suspect in the robbery of a North Carolina bank.
[02:54.100 --> 03:01.920]  This one robbed four banks and a CVS pharmacy with a silicon mask from an online site. I think the
[03:01.920 --> 03:13.460]  of the mask name is The Player, from SPFXmask. It's a site that now is closed, but it used to sell
[03:14.820 --> 03:23.520]  this type of realistic masks. The third one is a suspect accused of robbery and several
[03:23.520 --> 03:31.540]  other crimes committed using a generic mask made by another online site. The name of this
[03:31.540 --> 03:39.820]  of this mask model is The Neighbor. And the last one is a passenger who boarded a plane in Hong Kong
[03:39.820 --> 03:52.650]  as an old man in a flat cap, but arrived in Canada as a young man. Regarding fingerprint biometric
[03:52.650 --> 04:01.110]  systems, this first case is a Brazilian doctor who faced charges of fraud after being caught
[04:01.110 --> 04:07.730]  on camera using silicon fingers to sign in for work for absent colleagues.
[04:08.270 --> 04:16.970]  The second case is a gang involved in the illegal preparation, this is the image, the illegal
[04:16.970 --> 04:23.650]  preparation and selling of cloned fingerprints to fool biometric attendance systems of several
[04:23.650 --> 04:32.090]  educational institutions. The last case was in my country, Argentina. Six employees of the local
[04:32.090 --> 04:39.830]  airline were fired after discovering that they falsified their entry to work with silicon fingers
[04:39.830 --> 04:48.330]  taking turns to attend. But on weekends, when the payment is double, all six attended to work.
[04:51.740 --> 05:00.080]  But how 3D printing could help bypass biometric systems? In this first case, researchers from
[05:00.080 --> 05:10.000]  Forbes fooled Android facial recognition systems with a 3D printed head. In this second case,
[05:10.000 --> 05:18.660]  the MSU Michigan State University team created a fake finger by 3D printing a mold.
[05:21.140 --> 05:28.120]  And in this last case, a group of researchers from BCAB demonstrated that it was possible to
[05:28.120 --> 05:35.740]  bypass the face recognition logging mechanism of the iPhone X using a cheap 3D printed mask
[05:35.740 --> 05:46.750]  made from a stone powder. I love 3D printing, I have two 3D printers at home, why not make my own
[05:46.750 --> 05:53.910]  experiments for bypassing biometric systems? But first, I wanted to try the traditional methods
[05:53.910 --> 06:00.050]  for attacking biometric systems to better understand how 3D printing technology will help
[06:00.050 --> 06:09.880]  make these attacks faster and better. But first, we need to know how is the fingerprint
[06:09.880 --> 06:18.870]  recognition process. Most fingerprint scanners compare distinctive features of the fingerprint,
[06:19.120 --> 06:26.420]  generally known as minutia. Typically, investigators concentrate on points where
[06:26.420 --> 06:35.440]  rich lines end or where one rich splits into two called bifurcations. Collectively,
[06:35.440 --> 06:45.740]  another distinctive feature, such as you can see here, delta, a short ridge, a spore,
[06:45.740 --> 06:56.880]  the bifurcation, rich enclosure, a crossover or ridge, an island, all these features together
[06:56.880 --> 07:08.320]  are called typica. The scanner uses complex algorithms to recognize and analyze these
[07:08.320 --> 07:14.980]  distinctive features. The basic idea is to measure the relative positions of the features
[07:14.980 --> 07:23.960]  in the same sort of way you might recognize a part of the sky by the relative position of the stars.
[07:23.960 --> 07:32.820]  But to get a match, the scanner doesn't have to find the entire pattern of distinctive features,
[07:32.820 --> 07:38.280]  both in the sample and in the print from the biometric database.
[07:38.280 --> 07:44.840]  It simply has to find a sufficient number of features and patterns that the two prints have
[07:44.840 --> 07:56.050]  in common. There are many fingerprint sensors on the market. These are optical sensors,
[07:56.050 --> 08:04.790]  you can recognize them for the light, in general they use light. These are capacitive sensors,
[08:04.790 --> 08:16.010]  and the last one is an ultrasonic sensor. Optical fingerprint sensors are the oldest method of
[08:16.010 --> 08:22.950]  capturing and comparing fingerprints. This technique relies on capturing an optical image
[08:22.950 --> 08:30.790]  and using algorithms to detect unique patterns on the surface by analyzing the lightest and
[08:30.790 --> 08:43.360]  darkest areas of the image. Capacitive fingerprint scanners, instead of creating a traditional image
[08:43.360 --> 08:50.840]  of a fingerprint, they use the body natural capacitance to read the fingerprints,
[08:51.480 --> 08:53.940]  because the charge stored in the capacitor
[08:55.400 --> 09:03.140]  will be changed slightly when a finger reach here is placed over the conductive plate,
[09:03.140 --> 09:11.080]  while an air gap or a finger ballet will leave the charge at the capacitor relatively unchanged.
[09:11.480 --> 09:18.860]  These changes can then be recorded and analyzed to look for distinctive and unique fingerprint
[09:18.860 --> 09:28.220]  attributes. The latest fingerprint scanning technology is the ultrasonic sensor. To capture
[09:28.220 --> 09:36.060]  the details of a fingerprint, the hardware consists of both an ultrasonic transmitter and a receiver.
[09:36.480 --> 09:43.400]  An ultrasonic pulse is transmitted against the finger that is placed over the scanner. Some of
[09:43.400 --> 09:49.840]  the ultrasonic pulse is absorbed and some of it is bounced back to the sensor, depending upon the
[09:49.840 --> 09:56.820]  unique details of each fingerprint. The sensor then calculates the intensity of the returning
[09:56.820 --> 10:04.220]  ultrasonic pulse at different points, resulting in a very detailed reproduction of the scanned
[10:04.220 --> 10:13.690]  fingerprint. Now, for our test, the devices to be tested are four.
[10:15.050 --> 10:19.590]  Two biometric attendance systems with optical sensors,
[10:21.530 --> 10:28.530]  and two mobile phones, one with the capacitive sensor and the other one with an ultrasonic sensor.
[10:34.590 --> 10:40.710]  This is the first photo of the materials bought for the experiments, and includes a lot of
[10:40.710 --> 10:48.150]  materials. Alginate, a hot glue gun, gelatin powder, gummy bears, candle wax, transparent tape,
[10:48.150 --> 10:55.610]  play-doh, instant glue, epoxy putty, UV resin, silicone fingertips, fingerprint ink, and more.
[10:56.250 --> 11:02.630]  But during the test, I realized that I missed important materials, like, for example,
[11:02.630 --> 11:09.090]  silicone, liquid latex, wood glue, and so much more, and the list grew, and grew a lot.
[11:12.620 --> 11:19.780]  The first attack to test was the grease attack. For grease attacks, you need to have a clear
[11:19.780 --> 11:28.760]  grease stain left on the surface of the fingerprint scanner, but this stain must have most of the
[11:28.760 --> 11:34.940]  important features of the fingerprint left on the pad, so that the scanner can reliably read
[11:34.940 --> 11:42.120]  the same line ends and curves that it detected on the previous user. The idea of the attack
[11:42.600 --> 11:49.120]  is to gently press different materials, such as gummy bears, play-doh, silicone fingertips,
[11:49.120 --> 11:56.740]  and latex gloves, against the fingerprint scanner, but with care, with careful, without
[11:56.740 --> 12:09.950]  ruining the stain. Here are the results of the grease attacks. With gummy bears, play-doh,
[12:09.950 --> 12:16.210]  latex gloves, and silicone fingers, the scanner detected a finger, but the fingerprint was not
[12:16.210 --> 12:22.490]  clear enough to fool the sensor, so this attack was unsuccessful on all the tested devices.
[12:23.130 --> 12:29.470]  But for me, this test was not a failure, because the gummy bears were really yummy,
[12:29.470 --> 12:35.750]  and kept me fed during the rest of the experiments, so no failure for me.
[12:38.970 --> 12:45.020]  The problem with grease attacks is that, in most cases, a regular grease stain
[12:45.790 --> 12:52.700]  on the scanner surface is not enough to fool the sensor. We need to enhance it with other
[12:52.700 --> 13:01.880]  substances to obtain better results, impersonating legitimate users. But this substance,
[13:01.880 --> 13:10.640]  so that the user does not notice them, and also with ointment consistency, to better enhance
[13:10.640 --> 13:19.160]  the fingerprint stain. This substance could be spread in the legitimate user fingerprint,
[13:19.160 --> 13:28.300]  or in the fingerprint sensor. Using petrolatum ointment,
[13:28.300 --> 13:33.260]  paraffin, or cocoa butter lip balm, we successfully fooled the sensors,
[13:33.260 --> 13:39.620]  and were able to authenticate ourselves as the last user of the device, in optical
[13:39.620 --> 13:54.880]  and incapacitive scanners. Now we are going to see a demo. In this case, we are using
[13:54.880 --> 14:02.180]  cocoa butter lip balm. We are spreading the lip balm in the legitimate user fingerprint.
[14:03.600 --> 14:09.260]  We can see the enhanced grease stain in the fingerprint scanner.
[14:10.860 --> 14:18.200]  And then another user wearing a latex glove can be authenticated as the last legitimate user
[14:18.200 --> 14:31.240]  of the device. Now for consensual attacks. The term consensual suggests that the user
[14:31.240 --> 14:39.600]  we are taking the fingerprint from is aware of the process, and participates by pressing his or her
[14:39.600 --> 14:49.340]  finger into some kind of a mold. For molds, we use these materials, alginate, epoxy putty, play-doh,
[14:49.340 --> 14:55.900]  hot glue, and candle wax. And for casting, we use silicone, homemade ballistic gelatin,
[14:55.900 --> 15:08.130]  liquid latex, synthetic resin, and wood glue. You can see here,
[15:09.010 --> 15:19.710]  here, you can see here that the hot glue mold, of course, is the researcher's fingerprint are blurred,
[15:19.710 --> 15:27.710]  but in this part, you can see that the hot glue mold is really, it's very detailed,
[15:27.710 --> 15:41.230]  so it's a really good mold. For the molds, we obtained the best results with alginate
[15:41.230 --> 15:49.620]  and hot glue. And for casting, we obtained the best results using liquid latex, wood glue, and silicone.
[15:50.450 --> 15:58.710]  With the combination of a hot glue mold and liquid latex or wood glue casting, we were able to fool
[15:58.710 --> 16:05.530]  all the sensors. The same with the combination of an alginate mold and liquid latex casting.
[16:07.930 --> 16:15.430]  You can see here that the ballistic gelatin test didn't work. That's because ballistic
[16:15.430 --> 16:21.510]  gelatin is not so easy to make at home. We tried several combinations of gelatin powder,
[16:21.510 --> 16:26.810]  water, and glycerin, but the results were not enough to fool the scanners.
[16:27.610 --> 16:35.690]  Also, note that the working fingerprints are very thin. And please be careful if you plan to make
[16:35.690 --> 16:44.570]  hot glue molds. Let the glue cool down a bit and test the temperature under the foil and dip your
[16:44.570 --> 16:51.870]  finger in water because before, sorry, before pressing it against the hot glue, trust me, the
[16:51.870 --> 17:00.190]  glue can reach over 200 degrees. I've been there and it burns and it burns a lot.
[17:04.650 --> 17:13.210]  For unconsensual attacks, in these attacks, the user does not participate actively and latent
[17:13.210 --> 17:21.730]  fingerprints are obtained in a non-cooperative way. Assuming we have identified the correct
[17:21.730 --> 17:28.570]  latent fingerprint, we need to follow the following procedure.
[17:29.690 --> 17:37.430]  This procedure here. So, we are going to need to enhance
[17:40.050 --> 17:46.590]  the latent fingerprint with glue fumes or fingerprint powder, lift the latent fingerprint
[17:46.590 --> 17:54.030]  with a digital camera or transparent tape, digitally enhance the fingerprints with software,
[17:54.030 --> 18:00.930]  create a mold, and cast artificial fingers with silicone, liquid latex, or wood glue.
[18:01.530 --> 18:10.150]  The first option to enhance the latent fingerprint is dusting with fingerprint powder and a brush.
[18:10.150 --> 18:18.810]  The second option is encapsulating the latent print inside a container with instant glue.
[18:19.030 --> 18:25.690]  Fumes from the glue will be attached to the wrist of the latent fingerprint, making it possible to
[18:25.690 --> 18:39.930]  lift it. In this case, we obtain the best results lifting the latent fingerprints with a digital
[18:39.930 --> 18:49.030]  camera, using a fingerprint enhancement software in Python to digitally enhance the fingerprint
[18:49.030 --> 18:57.810]  image, offset printing a transparency, using the transparency as a mold, and casting it with
[18:57.810 --> 19:06.350]  liquid latex. With this procedure, we were able to fool the optical sensors. The fingerprint ink
[19:06.350 --> 19:14.170]  on a latex glove technique also worked on capacitive and ultrasonic sensors.
[19:15.290 --> 19:26.810]  You can see here that the offset plate technique didn't work, but it did not work because
[19:27.210 --> 19:34.450]  the offset plate was covered with some kind of rubber that is generally used in this type of
[19:34.450 --> 19:41.110]  plate, and the rubber interfered with the creation of the mold. But without the rubber,
[19:41.110 --> 19:55.980]  I think it's a technique that could work. For unconsensual attacks with 3D printing, we need
[19:56.740 --> 20:04.780]  an UV Resin SLA 3D printer, software to digitally enhance the latent fingerprint,
[20:07.520 --> 20:18.160]  a 3D CAD design tool, like for example Tinkercad, and a latent fingerprint in glass or a fingerprint
[20:18.160 --> 20:28.180]  inked in paper. In this case, we can use FDM or filament 3D printers for these attacks because
[20:28.180 --> 20:40.470]  we need the precision of an UV Resin printer. To obtain a working fingerprint through 3D printing,
[20:40.470 --> 20:48.130]  we need to follow these steps. First, we need to lift the latent fingerprint with a digital camera
[20:48.130 --> 20:55.090]  with macro functionality. Then, we need to use fingerprint enhancement software. In this case,
[20:55.090 --> 21:03.830]  I use a software in Python, but you can use any kind of graphic software for this task.
[21:04.310 --> 21:12.150]  Then, we need to import the enhanced image of the fingerprint into Tinkercad and configure
[21:12.150 --> 21:20.890]  the dimensions and add the reach height to create the 3D model. One negative or hollow for casting
[21:20.890 --> 21:30.590]  and one positive for direct tests. Then, we need to print the models on the 3D printer. In this case,
[21:30.590 --> 21:39.910]  the Anycubic Photon 3D printer with UV Resin. And then, we need to use isopropyl alcohol and UV
[21:39.910 --> 21:48.890]  post curing lamp or direct sunlight to complete the final curing process. At the end, we need to
[21:48.890 --> 21:58.150]  cast the models with wood glue or liquid latex. It took us 10 retries to achieve the optimal printer
[21:58.150 --> 22:07.230]  settings and reach height. But the most important step of this procedure is this one. It's the step
[22:07.230 --> 22:16.870]  four. If the step four is okay, the fake fingerprints will work in the different
[22:16.870 --> 22:27.590]  sensors and scanners. So, it's really important to configure the fingerprint length,
[22:27.590 --> 22:38.500]  height, and the reach height in a correct way. The results.
[22:40.220 --> 22:47.920]  The fingerprint obtained from the 3D model with liquid latex or wood glue casting worked on all
[22:47.920 --> 22:56.080]  sensors. And the positive fingerprint print directly on UV Resin worked on the ultrasonic sensor
[22:56.080 --> 22:59.840]  and in one of the optical sensors.
[23:01.220 --> 23:07.460]  In the optical sensor, we had to spread the fingerprint with cocoa butter lip balm or
[23:07.460 --> 23:17.140]  petrolatum for the sensor to recognize it as a finger. And here, you can see a summary
[23:17.980 --> 23:25.800]  of all the process. Here is the fingerprint enhancement, the models in Tinkercad,
[23:25.800 --> 23:33.720]  the printed models, and the casting with wood glue and liquid latex. And then, at the end, we are
[23:34.280 --> 23:43.000]  using the fake fingerprints to authenticate in an optical scanner.
[23:44.340 --> 23:56.920]  Now, we are going to see the demo of this attack. Here, we have the fake fingerprint
[23:58.480 --> 24:09.960]  and we are using it to authenticate ourselves in a Samsung S10 phone with an ultrasonic sensor.
[24:09.960 --> 24:18.720]  In this case, we use as a mold the 3D printing mold that we were talking before. And for casting,
[24:18.720 --> 24:26.900]  we use liquid latex. In this case, we use liquid latex with a skin color, but it's not necessary.
[24:26.900 --> 24:38.650]  You can use any color of latex and it will work. For biometric face recognition,
[24:39.710 --> 24:47.590]  biometric face recognition is the process and ability to identify the face of an individual,
[24:48.070 --> 24:55.350]  either to grant access to a system or to find out the details of a person by matching
[24:55.350 --> 24:59.470]  the face with the data in the biometric database.
[24:59.950 --> 25:09.050]  What a biometric face reader does is map and extract the distinct features, for example,
[25:09.050 --> 25:17.170]  these points and these points here, features of a person's face that can be used for recognition
[25:17.630 --> 25:25.010]  and stores the data in the biometric database along with the identity of the individual.
[25:25.870 --> 25:33.170]  Our next step in this research is to perform presentation attacks in face recognition systems
[25:33.170 --> 25:39.030]  by using 3D printed masks and heads to fool the different scanners.
[25:39.370 --> 25:43.050]  Now we are working on that and it's really fun.
[25:45.670 --> 25:51.270]  We published a paper of this research that you can download for more details.
[25:51.270 --> 25:57.470]  Another interesting research was made by Paul Raskaniers from Talos. We met in Switzerland
[25:57.970 --> 26:05.130]  when we were researching about using 3D printers to create fake fingerprints.
[26:05.130 --> 26:11.190]  He used the same 3D printer for the test, but different software. Also, he tested different
[26:11.190 --> 26:17.310]  devices, so if you are interested in this subject, it is worth to check it out too.
[26:17.310 --> 26:20.490]  It's the first link of the reference materials.
[26:21.270 --> 26:28.710]  Also, I have other reference materials in case some of the topics discussed in this talk
[26:28.710 --> 26:33.470]  are of interest and you want to know them a little more.
[26:37.120 --> 26:42.400]  Thank you. It was an honor to present this talk at DEFCON.
[26:42.560 --> 26:48.760]  And also thanks to my co-workers and friends that helped me with this research,
[26:48.760 --> 26:57.760]  especially Las Vivas Infosec. They are always there for me. So, stay safe, everyone.
